Hybrid BCS Part 4 – Connect to on-premises services


Setting a hybrid connection between you SharePoint Online and on-premises required communication trusts between the 2 farms. Refer to this article Configuring Hybrid Infrastructure for more details on how to configure your hybrid infrastructure.

Validate external access to reverse proxy

At this point in deploying the BCS hybrid scenario, you should confirm that you can access your on-premises SharePoint 2013 farm that has been configured to receive hybrid calls from SharePoint Online.

To confirm access to external URL:

  1. Copy the certificate to your extranet computer, and then click the certificate. You will be prompted for the certificate password. This adds the certificate to your personal certificate store.
  2. Open a web browser and browse to the externally published URL of your on-premises farm. You should be prompted for credentials. If not, check your browser settings and make sure that your logged on credentials are not being automatically passed.
  3. Provide the credentials of the federated user. This log on must succeed and you should see the published site. If this does not work, contact the administrators who set up your hybrid infrastructure. Do not proceed any further with the BCS hybrid scenario until this issue is resolved.

Prepare your tenant environment

In order to allow your SharePoint Online tenant to connect to your on-premises tenant, you will need to configure your security to allow accepting connection to your services. The following steps are an example of what you need to establish a trust between your Online and on-premises tenants.

  1. Click a service account that will access the OData service endpoint that you have previously configured; this procedure will be called ODataAccount
  2. Create a global security group for your OData service endpoint; this procedure will be called ODataGroup
  3. Add the service account to the global security group

Configure Secure Store target application

  1. Go to your on-premises tenant SharePoint Central Administration
  2. Navigate to Application Management > Manage service applications
  3. Click the Secure StoreI
  4. if you have never used your Secure Store, you will need to generate a new key first
  5. Click on Generate New Key
  6. Enter your Passphrase then click OK
  7. Click on New under Manage Target Applications
  8. Enter the name of your application, the display name, and your email address
  9. Select Group in the Target Application Type
  10. Click Next
  11. Accept the defaults values in the Create New Secure Store Target Application page
  12. Click Next
  13. Enter the Farm Administrator account in the Target Application Administrators, and enter the group name you created for you OData Service Endpoint in the Members section
  14. Click OK
  15. Click OK


A pass phrase string must be at least eight characters and must have at least three of the following four elements:

  1. Uppercase characters
  2. Lowercase characters
  3. Numerals
  4. Any of the following special characters
    "! " # $ % & ' ( ) * + , – . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~


The pass phrase that you enter is not stored. Make sure that you write this down and store it in a safe place. You must have it to refresh the key, such as when you add a new application server to the server farm.

For security precautions or as part of regular maintenance you may decide to generate a new encryption key and force the Secure Store Service to be re-encrypted based on the new key. You can use this same procedure to do this.


You should back up the database of the Secure Store Service application before generating a new key.

Set Permissions on your Online BCS

Setting your permissions on your Online BDC Metadata store is different than the on-premises tenant.

    1. Open your SharePoint Online administration page
    2. Click on bcs
    3. Click on Manage BDC Models and External Content Types
    4. Under Permissions, click on Set Metadata Store Permissions
    5. Select All users then set the Execute
    6. Select the checkbox to Propagate permissions to all BDC Model
    7. Click OK

Connect your O365 BCS to your on-premises

Unlike BCS in SharePoint 2013, BCS in SharePoint Online requires that you configure a connection settings object (CSO), which contains additional information to establish the connection to the external system and the OData source you have created.

When you create a CSO in your SharePoint Online tenant, you must provide a URL for your on-premises farm (the external URL you have configured in your reverse proxy to connect to your internal SharePoint services). Your SharePoint Online tenant will try to reach out to that endpoint in order to invoke your on-premises BCS and connect to your data source.

Whatever URL you may choose to publish, your CSO must have /_vti_bin/client.svc at the end of the URL in order to work properly.

Before you begin this procedure, make sure you have the following:

  1. Install configuration tools on an on-premises web server.
  2. The ID of the Secure Store target application that you configured.
  3. The Internet-facing URL that Office 365 uses to connect to the service address and that was published by the reverse proxy
  4. The ID of the Secure Store target application for the Secure Channel certificate in Office 365.

To create a CSO to your on-premises tenant:

  1. Open your SharePoint Online administration page
  2. Click on bcs
  3. Click Manage connections to on-premises services
  4. Click Add
  5. Enter the Title and the OData Service Address URL
  6. Under Authentication, select Use credentials stored in SharePoint on-premises
  7. Enter the Secure Store Target Application ID
  8. Under Authentication Mode, select Impersonate Window’s Identity
  9. Enter the internet facing URL you have configured under the reverse proxy; make sure you include /_vti_bin/client.svc at the end of the URL
  10. Click Create

Since your model will be using your Connection Settings object that you create in your SharePoint Online in order to connect to the on-premises data, there are some changes you need to make to it; if you do not do this then your model will not be able to connect to the on-premises data source:

  1. Make a copy of the ECT file that you'll be importing so you don't break the version you have with your OData project
  2. Delete the ODataServiceMetadataUrl and ODataServiceMetadataAuthenticationMode properties from the LobSystem property list in the ECT file
  3. Delete the ODataServiceUrl and ODataServiceAuthenticationMode properties from the LobSystemInstance property list in the ECT file
  4. Add this property to the list of properties for both the LobSystem and LobSystemInstance:  <Property Name="ODataConnectionSettingsId" Type="System.String">yourConnectionSettingsObjectName</Property>

Import your ECT file to SharePoint Online

Similar to the steps for your on-premises tenant, you need to import your new ECT file you have modified in the previous section to your SharePoint Online BCS tenant.

  1. Open your SharePoint Online administration page
  2. Click on bcs
  3. Click on Manage your BDC Models and External Content Types
  4. Click on Import
  5. Navigate to your ECT file locations and import each ECT file; as an alternative solution, you can develop a PowerShell script to import all the files
  6. Click OK

Once your model is uploaded successfully you can create a new External List in SharePoint Online and use that to work with your on-premises LOB data.

Follow this article to create an External List.


<< Previous – Part 3 – External Content Type Configuration 

>> Next – Part 5 – Validation

  • Wednesday, August 26, 2015 By : Mike Maadarani    0 comment